Improvements and Challenges in Health Privacy Law

The economic stimulus bill signed by President Obama on February 17 included provisions making significant improvements in federal health privacy law. The changes are complicated and incremental. They build on existing privacy and security rules issued under the Health Insurance Portability and Accountability Act (HIPAA). The new protections do not constitute the comprehensive framework that CDT has recommended, but they take positive steps in that direction. CDT will be working with policymakers and interested stakeholders to ensure that the changes are implemented in a way that helps break the privacy logjam that has impeded progress on health IT. We will also continue to work to fill the gaps in the health privacy framework.

The stimulus bill is officially known as the American Recovery and Reinvestment Act of 2009 (ARRA). Title 13 of that legislation, the Health Information Technology or HITECH section, includes $19 billion in funding to support adoption of electronic health records and development of the National Health Information Network begun under the previous administration.

Survey data shows that Americans are well aware of and eager to reap the benefits of information technology as applied to healthcare (HIT). A large majority of the public wants electronic access to their personal health information – both for themselves and for their health care providers – because they believe such access is likely to increase their quality of care.

At the same time, however, people have significant concerns about the privacy of their medical records, posing the risk that people will not trust, and therefore will not use, electronic health records systems if they do not protect privacy and security. These concerns are well founded. As the repeated reports of both small-scale browsing and large-scale breaches demonstrate, serious vulnerabilities exist now and could grow with the increasing flow of data.

The HIPAA privacy and security regulations that took effect in 2003 were a landmark, but they fell far short of providing adequate protection either in the traditional healthcare arena or for the rapidly evolving e-health environment. In the past year, CDT’s Health Privacy Project has both outlined a comprehensive health privacy framework and recommended incremental legislative improvements that would move the nation closer to that framework. ARRA incorporates many of CDT’s suggestions.

2) New Law Expands Scope of Federal Health Privacy Protections, Adds New Rights

ARRA includes a number of provisions expanding or clarifying the scope of federal health privacy law.

One important set of changes concerns what are known as “business associates.” Under HIPAA, “business associates” contract with HIPAA covered entities to perform particular services or functions on their behalf using protected health information. Before ARRA, business associates were not directly covered by HIPAA and instead were obligated to comply with privacy rules only to the extent required in their contracts with covered entities. Federal authorities could not hold business associates accountable for failure to comply with their contracts and could hold covered entities liable for the actions of their contractors only in limited circumstances.

ARRA makes a major change in the treatment of such “business associates.” Under ARRA, business associates must abide by nearly all of the HIPAA regulations on data security (Section 13401); must directly comply with all of the new privacy provisions enacted in ARRA (Section 13404); and can be held directly accountable for failure to comply with any HIPAA Privacy Rule provisions made applicable through their contracts with covered entities (Section 13404).

ARRA also made it clear that HIPAA applies to new forms of organizations that facilitate exchange of personal health information among covered entities. Prior to ARRA, these state and regional health information organizations or health information exchanges (also known as RHIOs or HIEs) might not have been covered by HIPAA privacy and security regulations. ARRA made it clear that RHIOs and HIEs are to be treated as business associates under HIPAA (Section 13408). As a result, those entities are now required to directly comply with key HIPAA regulatory provisions.

ARRA also improved the rights of individuals to find out who has obtained copies of their records. The HIPAA Privacy Rule has always included the right to request an “accounting of disclosures” of one’s identifiable health information going back for a period of six years prior to the date of the request. The right, however, was limited prior to the passage of ARRA, since it excluded disclosures for treatment, payment and health care operations. ARRA changed the federal rule on accounting for disclosures, requiring a covered entity that maintains electronic health records to account for disclosures for purposes of treatment, payment and business operations for three years prior to the date of the request (Section 13405). This provision will apply to both covered entities and business associates – which means it will apply to electronic health information networks like RHIOs and HIEs as well. Although this provision will not go into effect until a technical standard and regulations have been adopted to properly implement it, it represents a major change in the transparency of health data uses and flows.

ARRA also established, for the first time under federal law, very strong “breach notification” standards, requiring custodians of health data to notify individuals when their health records are lost or stolen. ARRA’s national breach notification requirement applies to HIPAA-covered entities, vendors of personal health records services (PHRs) and the third-party applications that are offered to PHR account holders on vendors’ web sites (Sections 13402 and 13407).

3) Enforcement Powers Strengthened

In the past, there was very little enforcement of HIPAA. The Office for Civil Rights within HHS, charged with enforcing the HIPAA privacy regulations, had not levied a single penalty against a HIPAA-covered entity in the nearly five years since the rules were implemented, even though that office found numerous violations of the rules. The Justice Department had levied some penalties under the criminal provisions of the statute, but a 2005 DOJ opinion said that the criminal provisions applied only to covered entities, not to individual employees who improperly accessed, used or disclosed a patient’s protected health information.

In ARRA, Congress took a number of steps to strengthen HIPAA enforcement (Sections 13409-13411):

ARRA expressly authorizes state attorneys general to enforce HIPAA through civil enforcement actions.

Business associates are now directly responsible for complying with key HIPAA privacy and security provisions and can be held directly accountable for any failure to comply.

Civil penalties for HIPAA violations were significantly increased. Under ARRA, fines of up to $50,000 per violation (with a maximum of $1.5 million annually for repeated violations of the same requirement) can now be imposed.

HHS is required to impose civil monetary penalties in circumstances where it finds that a HIPAA violation was willful.

The criminal provisions were expressly made applicable to individuals.

The HHS Secretary is now required to conduct periodic audits for compliance with the HIPAA Privacy and Security Rules.

4) New Law Faces Implementation Challenges, and Gaps Remain in Health Privacy Protection

Moving forward to ensure comprehensive protection of health privacy will require a new commitment to enforcement, which has been lacking for far too long, and carefully crafted regulations and other guidance to flesh out statutory requirements. Several of ARRA’s key provisions require rulemaking by the Secretary of HHS to specify details. Successful implementation of the new federal rules will also require industry initiative, standards activity, and legislative oversight. The Act creates two advisory committees, one on policy and one on standards, to advise the Secretary on implementation issues. And, of course, allocating the $19 billion in HIT funding and spending it wisely will require careful attention.

In addition, further legislative improvements will be needed to keep pace with changes in technology and business models. There remain significant gaps in privacy protection. For example, while ARRA’s extension of key protections to health information exchanges is important, federal law does not give patients the right to control whether or not their information is exchanged through networks like HIEs or RHIOs in the first place. CDT has concluded that, so long as the business model and future direction of most RHIOs and HIE networks remain uncertain, patients should have the protection of an opt-in standard for inclusion of their information in such networks.

In addition, ARRA does not establish privacy rules for personal health records (PHRs) and other Internet-based services that operate outside the traditional healthcare structure. In CDT’s view, it is not sufficient to merely extend HIPAA to PHRs. Instead, rules need to be crafted that are tailored to the unique issues posed by patient-controlled records. ARRA requires HHS to work with the Federal Trade Commission (FTC) and report to Congress on privacy and security protections that should apply to PHRs. This report, which must be submitted no later than February 17, 2010, must also consider which agency is best equipped to enforce the recommended protections and a timetable for further regulation.

Also, as amended by ARRA, HIPAA still does not include a private right of action, leaving individuals dependent on government authorities to vindicate their rights under HIPAA.

Another issue that was not fully resolved in ARRA is the use of data for marketing, which is a major area of consumer concern. ARRA did attempt to close a “loophole” in the HIPAA Privacy Rule that allowed for personal information to be used without individual authorization to send health-related marketing communications paid for by outside entities like pharmaceutical companies and device manufacturers. Under ARRA, health-related communications sent by physicians, hospitals, health plans and pharmacies that are paid for by outside companies are considered to be marketing and require individual authorization. However, ARRA still allows payments for communications where the communication itself falls within HIPAA’s broad definition of “treatment” or where the communication is about a prescription the individual is currently taking (as long as the amount paid for that communication is “reasonable”). There is considerable confusion about the scope of these exceptions and about what constitutes a “reasonable” level of external sponsorship. To ensure individuals are adequately protected against having their personal health information used for marketing purposes without their authorization, HHS will need to clarify these issues in regulation, and further action from Congress may be needed.